PM needs to take reins on cybersecurity

Australia's lacklustre cybersecurity plans are set to fail unless they are given oversight by the Prime Minister and long-term strategies are developed by top-level federal ministers and bureaucrats, according to a report into the nation's cybersecurity strategies.

Retired deputy chief of the Royal Australian Air Force John Blackburn and industry veteran Dr Gary Waters authored a report stating that the Prime Minister and Cabinet and the Office of the National Security Adviser must take the lead in developing national long-term strategies to avert an otherwise inevitable network-based attack against Australia's critical infrastructure.

This means that the Attorney-General's Department, which forges relationships between government and industry, may need to "relinquish" control of cybersecurity coordination to top federal ministers if strong policy is to be developed.

Yet the authors of the Kokoda Foundation report are confident that the government is taking cybersecurity seriously, despite the fact that the precise budget flow is unknown.

They praised the success of defensive efforts by the Attorney-General's Department, such as the Trusted Information Sharing Network, which established security talks between banks, utilities and government, and the Department of Defence's CERT Australia, which warns industry of emerging security threats.

But Blackburn and Waters said other current strategies are short-sighted, and are "not keeping pace" with security threats.

"The actions taken to date have helped highlight the scale of the problem and underscored that more needs to be done in order to address the challenge," the report said.

The government will need to "develop a whole-of-nation, government-led integrated long-term National Cyber Strategy and Cyber Capability Plan, as a subset of the National Security Strategy, with defined responsibilities, identified priorities and dedicated resources", according to the report.

Cybersecurity should be approached in a national manner and not via a single agency, nor should the government create a cyber tsar as was done in the United States, according to the report. This will avoid what former US presidential cybersecurity advisor Richard Clarke sees as departmental power struggles over control of cyber defence.

The report states that a national cyber strategy must mirror that used for the prevention of physical threats and stretch as long as a decade, despite the fact that the security industry is reactive and on the back foot to emerging threats.

Such a strategy should include "process and structural change" to reduce vulnerabilities and develop "a credible counter-attack capability", according to the report.

The strategy must also build new technology, effect culture change and build ties with "key allies".

Blackburn and Waters proposed in the government and industry-backed report that awareness of cyber threats be extended to all Australians through the creation of a "National Security Innovation Centre", a "virtual Cyber Academy", a "Cyber Test Range" and a "cyber Cooperative Research Centre".

Australia could also gain an edge by copying the Department of Defence's Rapid Prototyping, Development and Evaluation program, which draws on top brains from government departments and industry to develop military capabilities.

Industry jitters regarding intellectual property and a swathe of other problems have already been addressed within the Defence program, the authors said.

These initiatives should be created despite budget cutbacks and growing financial pressures.

"If we do not increase our focus on cyberspace, the threat will grow faster than our response and the cost of addressing the growing threat gap in the future will increase, possibly exponentially," the report said.

The report's authors also called for antivirus and firewall installations to be mandatory for consumer purchases and suggested a "Slip, Slop, Slap"-type campaign to alert the public to online security threats.

Waters said elements of the industry-created voluntary iCode — which requires internet providers to take responsibility for user security — should be made mandatory.

"There needs to be more thought given to mandating security best practice," he said.

About 70 senior government officials and industry representatives participated in the workshops on which the report is based.

The government welcomed the publication of the report and will consider it when it is published on 4 February.

The Attorney-General's Department said that cybersecurity is a top national security priority and pointed out that the government had invested significantly in Australia's cybersecurity capabilities.

It referred to the government's cybersecurity strategy released in November 2009, leading to CERT Australia, the Cyber Security Operations Centre and the creation of a cyber policy coordinator within the Department of Prime Minister and Cabinet to coordinate cybersecurity activities.

Updated at 8:04pm, 4 January 2011: added comment from the Attorney-General's Department.